Last active
August 29, 2015 14:04
-
-
Save nathansmith/a89c98b74e7a9ad242ce to your computer and use it in GitHub Desktop.
Paste this into browser console, to illustrate why arbitrary script execution is bad.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (function(d) { | |
| 'use strict'; | |
| // DOM elements. | |
| var body = d.body; | |
| var html = d.documentElement; | |
| var head = d.head || d.getElementsByTagName('head')[0]; | |
| // Style attributes. | |
| var b = body.style; | |
| var h = html.style; | |
| // Dimensions. | |
| var y = '100%'; | |
| var x = y+' '+y; | |
| // Image URL. | |
| var u = 'url(http://f.cl.ly/items/1L150h2J2d3l0E3K1B3i/f.gif)'; | |
| // Destroy <head> and <body> content. | |
| head.innerHTML = ''; | |
| body.innerHTML = ''; | |
| // Zero out margin/padding. | |
| b.margin = 0; | |
| b.padding = 0; | |
| // Make page full height. | |
| h.height = y; | |
| b.height = y; | |
| // Ensure background covers. | |
| b.backgroundSize = x; | |
| // Add the GIF. | |
| b.backgroundImage = u; | |
| })(this.document); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Screenshot:
http://cl.ly/image/0L0k0H2x0u3h